/*
 * Demoiselle Framework
 * Copyright (C) 2011 SERPRO
 * ----------------------------------------------------------------------------
 * This file is part of Demoiselle Framework.
 * 
 * Demoiselle Framework is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License version 2
 * as published by the Free Software Foundation.
 * 
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 * 
 * You should have received a copy of the GNU General Public License
 * along with this program; if not,  see <http://www.gnu.org/licenses/>
 * or write to the Free Software Foundation, Inc., 51 Franklin Street,
 * Fifth Floor, Boston, MA  02110-1301, USA.
 * ----------------------------------------------------------------------------
 * Este arquivo é parte do Framework Demoiselle.
 * 
 * O Framework Demoiselle é um software livre; você pode redistribuí-lo e/ou
 * modificá-lo dentro dos termos da Licença Pública Geral GNU como publicada pela Fundação
 * do Software Livre (FSF); na versão 2 da Licença.
 * 
 * Este programa é distribuído na esperança que possa ser útil, mas SEM NENHUMA
 * GARANTIA; sem uma garantia implícita de ADEQUAÇÃO a qualquer MERCADO ou
 * APLICAÇÃO EM PARTICULAR. Veja a Licença Pública Geral GNU/GPL em português
 * para maiores detalhes.
 * 
 * Você deve ter recebido uma cópia da Licença Pública Geral GNU, sob o título
 * "LICENCA.txt", junto com esse programa. Se não, acesse o Portal do Software Público
 * Brasileiro no endereço www.softwarepublico.gov.br ou escreva para a Fundação do Software
 * Livre (FSF) Inc., 51 Franklin St, Fifth Floor, Boston, MA 02111-1301, USA.
 
 * @author Tarcizio Vieira Neto (tarcizio.vieira@owasp.org) <a href="http://www.serpro.gov.br">SERPRO</a>
 * @created 2011
 */
package br.gov.frameworkdemoiselle.security.accesscontrol;

import javax.enterprise.inject.Alternative;
import javax.inject.Inject;

import org.owasp.appsensor.errors.AppSensorException;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.reference.DefaultAccessController;

import br.gov.frameworkdemoiselle.security.Authorizer;
import br.gov.frameworkdemoiselle.security.authentication.BasicUser;

@Alternative
public class EsapiWrapperAuthorizer implements br.gov.frameworkdemoiselle.security.Authorizer, org.owasp.esapi.AccessController {

	private static final long serialVersionUID = 1L;
	
	private org.owasp.esapi.AccessController accessControllerWrapper = null;
	
	@Inject
	public EsapiWrapperAuthorizer(org.owasp.esapi.AccessController accessController) {
		this.accessControllerWrapper = accessController;
	}
	
	public EsapiWrapperAuthorizer() throws AccessControlException {
		this (DefaultAccessController.getInstance());
	}
	
	public void setWrapper(org.owasp.esapi.AccessController accessController) {
		this.accessControllerWrapper = accessController;
	}
	
	/* 
	 * Implementation of Demoiselle Framework Authorizer methods 
	 * from interface: br.gov.frameworkdemoiselle.security.Authorizer
	 * 
	 * */

	@Override
	public boolean hasRole(String role) {
		BasicUser user = (BasicUser) ESAPI.authenticator().getCurrentUser();
		
		return user.getRoles().contains(role);		
	}

	@Override
	public boolean hasPermission(String resource, String operation) {		
		boolean isAuthorized = false;
		isAuthorized = accessControllerWrapper.isAuthorized("AC 1.1 Permission", new String []{resource, operation});
		
		if (!isAuthorized) {
			new AppSensorException("ACE4", "Evading Presentation Access Control Through Custom POST.", "A POST request is received which is not authorized for the current user and the user could not have performed this action without crafting a custom POST request.");
		}
		
		return isAuthorized;
	}
	
	/* 
	 * Implementation of OWASP ESAPI AccessController methods
	 * from interface: org.owasp.esapi.AccessController
	 * 
	 * */

	@Override
	public boolean isAuthorized(Object key, Object runtimeParameter) {
		// TODO Auto-generated method stub
		return accessControllerWrapper.isAuthorized(key, runtimeParameter);
	}

	@Override
	public void assertAuthorized(Object key, Object runtimeParameter) throws AccessControlException {
		accessControllerWrapper.assertAuthorized(key, runtimeParameter);
	}

	@Override
	public boolean isAuthorizedForURL(String url) {		
		return accessControllerWrapper.isAuthorizedForURL(url);
	}

	@Override
	public boolean isAuthorizedForFunction(String functionName) {		
		return accessControllerWrapper.isAuthorizedForFunction(functionName);
	}

	@Override
	public boolean isAuthorizedForData(String action, Object data) {
		return accessControllerWrapper.isAuthorizedForData(action, data);
	}

	@Override
	public boolean isAuthorizedForFile(String filepath) {
		return accessControllerWrapper.isAuthorizedForFile(filepath);
	}

	@Override
	public boolean isAuthorizedForService(String serviceName) {
		return accessControllerWrapper.isAuthorizedForService(serviceName);
	}

	@Override
	public void assertAuthorizedForURL(String url) throws AccessControlException {
		accessControllerWrapper.assertAuthorizedForURL(url);		
	}

	@Override
	public void assertAuthorizedForFunction(String functionName) throws AccessControlException {
		accessControllerWrapper.assertAuthorizedForFunction(functionName);		
	}

	@Override
	public void assertAuthorizedForData(String action, Object data) throws AccessControlException {
		accessControllerWrapper.assertAuthorizedForData(action, data);		
	}

	@Override
	public void assertAuthorizedForFile(String filepath) throws AccessControlException {
		accessControllerWrapper.assertAuthorizedForFile(filepath);		
	}

	@Override
	public void assertAuthorizedForService(String serviceName) throws AccessControlException {
		accessControllerWrapper.assertAuthorizedForService(serviceName);		
	}
}
